Mozilla Foundation Security Advisory 2007-14

Path Abuse in Cookies

May 30, 2007
Nicolas Derouet
Firefox, SeaMonkey
Fixed in
  • Firefox
  • Firefox
  • SeaMonkey 1.0.9
  • SeaMonkey 1.1.2


Nicolas Derouet reported two problems with cookie handling in Mozilla clients. The first was that the cookie path parameter was not subject to any length checks, and this could be abused to cause the victim's browser to use excessive amounts of memory while it was running as well as waste the disk space used to store the cookie until it expired. Cookies sent by an HTTP server are limited to a reasonable size by the general limit on the size of an HTTP header, but cookies created programmatically through JavaScript and added using document.cookie could have a path of any length the script could create -- potentially several tens of megabytes.

The second issue was that the cookie path and name values were not checked for the presence of the delimiter used for internal cookie storage, and if present this confused future interpretation of the cookie data. Since the cookie host continued to be set correctly there was very little that could be done that the site could not legitimately set in the first place. One exception was the ability for a non-secure site to create "secure" cookies (it still could not read them), which might be a problem on some sites. Other fields in the file could be faked, but scripts that could set cookies at all could generally set them anyway.